Cookies and GDPR: What you need to know

Published on 4th December 2017

Cookies and GDPR compliance, perhaps you haven’t thought about how regulation changes could impact the way you market? Find out everything you need to know about how GDPR will affect the way you use web analytics tools like cookies in your business.

Cookies have become a familiar fixture for most web users. Web analytics tools allow businesses to track visitor engagement on their website and follow up with marketing activity. Useful for your marketing team? Certainly. GDPR compliant? Well, that’s where the waters get a little muddy.

What do the guidelines say about Cookies and GDPR compliance?

Cookies are only referenced once in the GDPR guidelines:

‘Recital 30: Natural Persons may be associated with online identities…such as internet protocol addresses, cookie identifiers or other identifiers…This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’

In plain English this means; if you use cookies to uniquely identify a device or the person using that device, that’s now treated as personal data under GDPR.

Not all cookies are used in a way that could identify users, but the majority are. This means cookies used for analytics, advertising and functional services such as surveys and chat tools are at risk of non-compliance under GDPR. A risk that comes with a hefty penalty.

Why are Cookies potentially non-compliant with GDPR?

Cookies often contain pseudonymous identifiers (e.g. strings of numbers or letters) to give them uniqueness. Under GDPR it is this uniqueness that qualifies them as personal data. So, any cookie that is capable of identifying an individual, or treating them as unique without explicitly identifying them means your business is processing personal data.

In order to process the personal data of EU citizens, GDPR now requires you to gain definite and provable consent. It is this which puts the use of cookies at risk of non-compliance.

What’s changing with consent?

Gaining valid consent is one of the crucial changes that GDPR is making to the collection and processing of personal data. You can find out more about all the changes here. However, since it’s such a huge topic we’ll keep our focus to consent as it applies to the use of cookies in this article:

Implied Consent is no longer enough: Previously, most businesses have relied on the idea of ‘implied consent’. I.e. Visitors have offered an email address or phone number, they have visited your website and taken some kind of action. Under GDPR this is no longer enough. Consent must be given via an affirmative action, such as clicking an opt-in box or setting preferences. Crucially, opt-in to one type of contact does not qualify your business to assume consent for all types of contact.

It must be as easy to withdraw consent as it is to give it: Even after you have gained consent to process an individual’s personal data it must be easy for them to change their preference. If you ask for consent via and opt-in-box, for example, and opt-out must be equally visible.

Soft Opt-In is not sufficient: We are all familiar with the ‘by using this site, you accept cookies’ message that pops up on websites. We all probably use just such a message on our own websites. However, under GDPR if there’s no valid consent option it does not count as consent at all. You must make it possible to accept and reject cookies.

How can I continue to use cookies under GDPR?

To cut a long story short, using cookies in the established way is going to become increasingly hard. Cookies are not banned under GDPR. However, if you can’t prove consent on an individual basis you’re at risk of non-compliance.

If you can prove that your business has a lawful ground to collect and process the data in question then you can continue to do so. However, since most businesses rely on implied or opt-out consent it will be increasingly hard to prove lawful consent under the strengthened requirements of GDPR.

Additionally, The Privacy and Electronic Communications Regulations (PECR), aka the ‘cookie law’ is being updated and brought in line with GDPR. Tightening this up will mean more restrictions on how and when data analytics tools like cookies can be used.

So, what I can I do instead to get useful information about my leads?

It’s not all doom and gloom for your marketing department. There are still ways to gather useful information about potential customers without continuing to use cookies. It all comes down to consent.

The solution is this: make it easy for your leads give that consent, and give them an equally clear opt-out. You can then continue to process their personal data (name, email address etc.). Going forward this could mean that your lead quality increases and you can begin engaging with people who are genuinely interested in your products or services.

How can I make sure my business is GDPR compliant?

That’s a great question. There’s a lot of information out there about what you have to do to be GDPR compliant, but less about how to actually do so. At Automated Intelligence we’re dedicated to helping businesses understand GDPR and achieve compliance.

That’s why we built GDPR Powered by AI.DATALIFT. This dedicated software takes the complication out of GDPR compliance; hosted on Microsoft Azure, it anticipates all of your GDPR needs. If you’re interested in getting a demo or simply want to find out a little bit more about GDPR compliance, get in touch today.